Researchers find 80 different Android wallpaper apps skimming sensitive data

By Tim Conneally | Published July 29, 2010, 4:41 PM

While the superstar of the Black Hat USA 2010 security conference in Las Vegas this week was Barnaby Jack from IOActive showing off techniques for "Jackpotting" Windows CE-based ATMs, research from security company Lookout has had a much broader impact on consumers, especially those using Android smartphones.

Lookout's "App Genome Project" is an ongoing study of the millions of mobile applications available, the user data that they collect, and the threats they present. During their research for the project, the team found a series of simple wallpaper apps in the Android Market which were suspiciously collecting more data than they needed to.

"The wallpaper applications that we analyzed transmitted several pieces of sensitive data to a server over an unencrypted network connection. The data included the device's phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone," Lookout CTO Kevin Mahaffey said today. "While this sort of data collection from a wallpaper application is certainly suspicious, there's no evidence of malicious behavior. There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent."

The group found more than 80 wallpaper apps that did this, and they all traced back to two developers, "Jackeey" and "wallpaper," both of whom have since changed their names. The various apps are estimated to have been downloaded between one and four million times.

There's a good chance you have downloaded one if you're an Android user.

"While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior," Mahaffey said today. He also said that Google is aware of the situation and is currently investigating the suspicious apps.

Comments

Imagine that, an app that changes your wallpaper for you doing something fishy. Who would've thought?

Oh, wait...

Score: -1

Someone in the know needs to look at the news app FOX News put out a week or two ago. That app wants access to almost everything.

Score: -1

I do wonder whether the apps are ACTUALLY pulling ANYTHING, or if the researcher simply installed the apps and noted which security flags were being displayed during the install. Back when I got my Droid, I went to install one of these and noticed that it wanted access to something along these lines that left me wondering what was up. I tried another, same thing. Every one that I tried did this.

I went to one of the Android community forums and asked if anyone had any idea what was up with the wallpaper apps wanting access to these specific things, and a software developer in the thread did a bit of looking around and reported back that for whatever reason, for an app to be able to change the wallpaper, it has to request access to some of these things that would look a bit screwy for a wallpaper app. The "change wallpaper" function is apparently connected in some way to those other things. I'm not a developer, so he may be full of s***, but my point is that maybe this needs to be looked into more thoroughly than just assuming that because the security notice says the app wants access to personal data, something must be wrong. I would like evidence that these 80 apps actually are doing something nefarious, and/or that they're at least asking for access to things that aren't essential to changing the wallpaper.

Score: -1

Now you know one of the reasons why Apple selects the software on its store so much.
This might be the only valid reason tho...

Score: 0

Yeah...and it has worked out *so* well for them.

Note: That was sarcasm.

Score: -1

People actually need an app to change wallpaper on a droid? LMAO

Score: 1

No, we don't need an app to change the wallpaper. We're perfectly well able through the OS's built-in configuration menu to just point it to any image file on the device. The apps in question just provide a well categorized easily browsed gallery of thousands of good quality attractive images that are already scaled and cropped, with an option to immediately download the image and set it as the current wallpaper all with one click.

What in ANY of this led you to conclude that these apps are necessary for changing the wallpaper?

Score: -4

@ reidyn I know you don't need an app to change a wallpaper. I just think anyone who would use one is kind of goofy to say the least. Kind of like the myfastpc.com and sell your firstborn for farmville points crowd.

Score: 0

You can sell your firstborn for farmville points? I need to look into that!

Score: -1

Apparently these folks when they were learning to program for the Android skipped the section about best practices.
And zys123, you suck.

Score: 0

...80 wallpaper apps?

Score: 2

What 80 applications?

Score: 1
